Cisco SD-WAN & Security Bootcamp 20.1
BOOTCAMP
SWITZERLAND
20. – 22.9.2021
Objective:
▪ Gain skills and knowledge to design, deploy and demonstrate Cisco SD-WAN solutions
▪ Self-sufficient POC/POV delivery to customers
Prerequisites:
▪ Solid understanding of WAN technologies
▪ Understanding of Cisco SD-WAN (aka Viptela) solution
Agenda
▪ Your Name
▪ Role
▪ Objective
Lab Topology
(Diagram: everything defaults here.)
Cisco SD-WAN Solution Overview
(Diagram: management/orchestration layer with vManage, its APIs, 3rd-party automation and vAnalytics; orchestration plane with vBond; control plane with vSmart controllers; data plane with WAN Edge routers over MPLS, 4G and INET transports connecting cloud, data center, campus, branch and SOHO sites.)
Orchestration Plane
vBond Orchestrator
Main Characteristics
▪ Orchestrates control and management plane
▪ First point of authentication
▪ Distributes list of vSmarts / vManage to all WAN Edge routers
▪ Facilitates NAT traversal
▪ Requires public IP address [could sit behind 1:1 NAT]
▪ Highly resilient
▪ Multitenant or single tenant
vManage
Main Characteristics
▪ Single pane of glass for Day0, Day1 and Day2 operations
▪ Centralized provisioning
▪ Multitenant or single tenant
▪ Policies and Templates
▪ Troubleshooting and Monitoring
▪ Software upgrades
▪ GUI with RBAC
▪ Programmatic interfaces (REST, NETCONF)
▪ Highly resilient
Control Plane
vSmart Controller
Main Characteristics
▪ Facilitates fabric discovery
▪ Disseminates control plane information between WAN Edge routers
▪ Distributes data plane and app-aware routing policies to the WAN Edge routers
▪ Implements control plane policies
▪ Dramatically reduces control plane complexity
▪ Highly resilient
Branch and Aggregation Platforms
Branch: ISR 900, ISR 1000, ISR 4000, vEdge 100, vEdge 1000 & 2000
Aggregation: ASR 1000, vEdge 5000
• Modular
• 4G LTE & Wireless
• Fixed/Pluggable Module
• RPS
SD-WAN feature set:
• Routing: App-Aware Routing, Full Mesh, Dynamic Routing
• Basic Security: Next Gen FireWall
• Adv Security (1): App FW, IPS, URL-F, AMP and ThreatGrid
• Rich Services (2): Caching, DRE, Integrated Voice: SRST, FXO, FXS
• Multi-Domain: Integrated Border for Campus and DC fabric (SDA, ACI)
• Cloud and Analytics: CloudOnRamp for IaaS and SaaS, vAnalytics
• Voice Optimization: FEC, Packet Duplication, TCP Optimization (3)
(1) Advanced Security only on ISRs (2) Integrated Voice Support only on ISRs (3) Voice Optimization on ISR and vEdge only
Key 20.1 Features
Key Cisco IOS XE Release 17.2 Features
Programmatic APIs
REST
Main Characteristics
▪ Programmatic control over all aspects of vManage administration
▪ Secure HTTPS interface
▪ GET, PUT, POST, DELETE methods
▪ Authentication and authorization
▪ Bulk API calls
▪ Python scripting
vAnalytics
Main Characteristics
▪ Cloud-based analytics engine
▪ Optional solution element
▪ Analyze fabric telemetry
▪ Capacity projections
▪ SLA violation trends
▪ Utilization anomaly detection
▪ Application QoE
▪ Carrier grading
▪ Data anonymization
▪ Opt-in customer model
tunneling is used
(Diagram: Edge routers with TLOC colors T1–T4 over Internet and MPLS transports.)
Color restrict prevents attempts to establish IPsec tunnels to TLOCs with a different color.
Control Operation Walk-Through
(Diagram; labels recovered from two columns: vBond and vSmart are added to vManage via NETCONF/YANG; vManage pushes serial numbers to vBond and vSmart. Temporary and transient DTLS/TLS tunnels are used during bring-up; the vEdge and vSmart CSRs are signed by the CA and the resulting .crt certificates are installed.)
Fabric Operation Walk-Through
OMP Update:
▪ Reachability – IP Subnets, TLOCs
▪ Security – Encryption Keys
▪ Policy – Data/App-route Policies
(Diagram: vSmart exchanges OMP updates with each vEdge over a DTLS/TLS tunnel and pushes policies; the vEdges advertise their TLOCs and subnets and build an IPsec tunnel over Transport1 with BFD running across it.)
Full Cone NAT
vEdge1 (192.168.1.1) – NAT (Full Cone, 192.0.2.1) – vBond (203.0.113.1)
  vEdge1 → NAT:  Src=192.168.1.1:12346  Dst=203.0.113.1:12346
  NAT → vBond:   Src=192.0.2.1:12346    Dst=203.0.113.1:12346
  vBond → NAT:   Src=203.0.113.1:12346  Dst=192.0.2.1:12346
  NAT → vEdge1:  Src=203.0.113.1:12346  Dst=192.168.1.1:12346
▪ Any external host can send packets to the internal address:port by sending them to the external address:port once the mapping has been created
Restricted Cone NAT
vEdge1 (192.168.1.1) – NAT (Restricted Cone, 192.0.2.1) – vBond (203.0.113.1) – vEdge2 (198.51.100.1)
  vEdge1 → NAT:  Src=192.168.1.1:12346   Dst=203.0.113.1:12346
  NAT → vBond:   Src=192.0.2.1:5678      Dst=203.0.113.1:12346
  vBond → NAT:   Src=203.0.113.1:12346   Dst=192.0.2.1:5678
  NAT → vEdge1:  Src=203.0.113.1:12346   Dst=192.168.1.1:12346
  vEdge2 → NAT:  Src=198.51.100.1:12346  Dst=192.0.2.1:5678    X (dropped: vEdge1 has not yet sent to vEdge2)
  vEdge1 → NAT:  Src=192.168.1.1:12346   Dst=198.51.100.1:12346
  NAT → vEdge2:  Src=192.0.2.1:5678      Dst=198.51.100.1:12346
  vEdge2 → NAT:  Src=198.51.100.1:12346  Dst=192.0.2.1:5678    (now allowed)
  NAT → vEdge1:  Src=198.51.100.1:12346  Dst=192.168.1.1:12346
▪ Any external host can send packets to the internal IP address if the internal device has initiated a connection to that external host using the previously created address mapping
Port Restricted Cone NAT
vEdge1 (192.168.1.1) – NAT (Port Restricted Cone, 192.0.2.1) – vBond (203.0.113.1) – vEdge2 (198.51.100.1)
  vEdge1 → NAT:  Src=192.168.1.1:12346   Dst=203.0.113.1:12346
  NAT → vBond:   Src=192.0.2.1:5678      Dst=203.0.113.1:12346
  vBond → NAT:   Src=203.0.113.1:12446   Dst=192.0.2.1:5678    X (dropped: source port differs from the mapped one)
  vBond → NAT:   Src=203.0.113.1:12346   Dst=192.0.2.1:5678
  NAT → vEdge1:  Src=203.0.113.1:12346   Dst=192.168.1.1:12346
▪ Similar to address restricted cone NAT, with ports added to the mapping
Symmetric NAT
vEdge1 (192.168.1.1) – NAT (Symmetric, 192.0.2.1) – vBond (203.0.113.1) – vEdge2 (198.51.100.1)
  vEdge1 → NAT:  Src=192.168.1.1:12346   Dst=203.0.113.1:12346
  NAT → vBond:   Src=192.0.2.1:5678      Dst=203.0.113.1:12346
  vBond → NAT:   Src=203.0.113.1:12346   Dst=192.0.2.1:5678
  NAT → vEdge1:  Src=203.0.113.1:12346   Dst=192.168.1.1:12346
  vEdge1 → NAT:  Src=192.168.1.1:12346   Dst=198.51.100.1:12346
  NAT → vEdge2:  Src=192.0.2.1:9012      Dst=198.51.100.1:12346  (new mapping per destination)
  vEdge2 → NAT:  Src=198.51.100.1:12346  Dst=192.0.2.1:9012
  NAT → vEdge1:  Src=198.51.100.1:12346  Dst=192.168.1.1:12346
  vEdge2 → NAT:  Src=198.51.100.1:12346  Dst=192.0.2.1:5678    X (dropped: port 5678 is mapped only for vBond)
▪ A request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port
▪ Only an external host that receives a packet from an internal host can send a packet back
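To make the four filtering behaviours above concrete, here is an added simulation (not part of the bootcamp material) that replays the exchanges drawn on the slides with the slides' addresses. The Nat class, its port allocation order and the scenario names are constructed for illustration.

```python
"""Simulate the four NAT filtering behaviours from the NAT slides above.
Constructed example for illustration; not part of the bootcamp material."""
from dataclasses import dataclass, field

EXT_IP = "192.0.2.1"                   # NAT public address used on the slides
VEDGE1 = ("192.168.1.1", 12346)        # vEdge1 behind the NAT
VBOND = ("203.0.113.1", 12346)
VEDGE2 = ("198.51.100.1", 12346)


@dataclass
class Nat:
    kind: str                          # "full", "restricted", "port_restricted", "symmetric"
    ports: list                        # external ports handed out, in order (constructed)
    mappings: dict = field(default_factory=dict)   # key -> external port
    contacts: dict = field(default_factory=dict)   # external port -> set of (ip, port) contacted

    def _key(self, src, dst):
        # A symmetric NAT allocates one mapping per (source, destination) pair;
        # the cone variants reuse one mapping per internal source.
        return (src, dst) if self.kind == "symmetric" else src

    def outbound(self, src, dst):
        """Internal host sends to dst; returns the post-NAT (ip, port) seen by dst."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.ports.pop(0)
        port = self.mappings[key]
        self.contacts.setdefault(port, set()).add(dst)
        return (EXT_IP, port)

    def inbound(self, src, ext_port):
        """External host src=(ip, port) sends to (EXT_IP, ext_port). True if forwarded."""
        if ext_port not in self.contacts:
            return False               # no mapping exists for this external port
        seen = self.contacts[ext_port]
        if self.kind == "full":
            return True                # any external host may use the mapping
        if self.kind == "restricted":
            return any(ip == src[0] for ip, _ in seen)   # address previously contacted
        return src in seen             # port-restricted/symmetric: exact ip:port contacted


def run_scenario(kind):
    """Replay the packet exchanges drawn on the slides; returns forwarded?-flags per step."""
    nat = Nat(kind, ports=[12346] if kind == "full" else [5678, 9012])
    out = {}
    ext = nat.outbound(VEDGE1, VBOND)                          # vEdge1 -> vBond creates the mapping
    out["vbond_reply"] = nat.inbound(VBOND, ext[1])            # vBond replies from :12346
    out["vedge2_unsolicited"] = nat.inbound(VEDGE2, ext[1])    # vEdge2 tries the mapping it learned
    out["vbond_other_port"] = nat.inbound(("203.0.113.1", 12446), ext[1])
    ext2 = nat.outbound(VEDGE1, VEDGE2)                        # vEdge1 reaches out to vEdge2
    out["vedge2_reply_new"] = nat.inbound(VEDGE2, ext2[1])     # vEdge2 answers the port it saw
    out["vedge2_to_first_port"] = nat.inbound(VEDGE2, ext[1])  # vEdge2 uses the vBond-facing port
    out["ports"] = (ext[1], ext2[1])
    return out


if __name__ == "__main__":
    for k in ("full", "restricted", "port_restricted", "symmetric"):
        print(k, run_scenario(k))
```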
NAT Traversal Combinations
(Table, only partially recovered: pairs of NAT types such as Public – Symmetric and Symmetric – Symmetric against the outcome Direct IPSec Tunnel or No Direct IPSec Tunnel (traffic traverses hub); the "Mostly Encountered" combinations are highlighted.)
NAT Traversal – Dual Sided Full Cone
(Diagram: vEdge1 behind a full-cone NAT (IP1'/Port1) and vEdge2 behind a full-cone NAT (IP2'/Port2), both reaching vBond and vSmart.)
▪ NAT Detection: vBond discovers the post-NAT public IP and communicates it back to the vEdges (STUN server)
▪ vEdges notify vSmart of their post-NAT public IP address
▪ NAT devices enforce no filter (NAT filter: any source IP/port)
▪ Full-cone NAT
NAT Traversal – vEdge behind Symmetric NAT (slide title not recovered)
(Diagram: vEdge1 (IP1/Port1) behind a symmetric NAT (IP1'/Port1) and vEdge2 (IP2/Port2) behind a full-cone NAT (IP2'/Port2). NAT filter labels: "Only from vBond", "Any source IP/Port", "From IP1'/Port1".)
▪ NAT Detection: vBond discovers the post-NAT public IP and communicates it back to the vEdges (STUN server)
▪ vEdges notify vSmart of their post-NAT public IP address
▪ Symmetric NAT devices enforce a filter: only allows traffic from vBond
▪ vEdge behind symmetric NAT reaches out to the remote vEdge
▪ NAT entry created with filter to allow remote vEdge return traffic
▪ Remote vEdge will learn the new symmetric NAT source port (data plane learning)
▪ Port Hopping
▪ Adds increments from standard port to facilitate NAT-traversal
▪ Port Offset
▪ Configure a static offset from the standard port (+-20)
▪ Defaults:
▪ Base port 12346
▪ Port offset: 0
Flexible Deployment Options
(Diagram: NIC0 control interface in VPN0, NIC1 management interface in VPN512.)
▪ Cloud or on-premise deployment
▪ Separate interfaces for control and management
▪ Separate VPNs for control and management
▪ Zone-based security
▪ Minimal configuration for bring-up
▪ Connectivity, System IP, Site ID, Org-Name, vBond IP
Flexible Deployment Options (Cont.)
(Same interface layout: NIC0 control interface in VPN0, NIC1 management interface in VPN512.)
▪ Cloud or on-premise deployment
▪ Separate interfaces for control and management
▪ Separate VPNs for control and management
▪ Zone-based security
▪ Minimal configuration for bring-up
▪ Connectivity, System IP, Site ID, Org-Name, vBond IP (local)
Flexible Deployment Options (Cont.)
(Same interface layout: NIC0 control interface in VPN0, NIC1 management interface in VPN512.)
▪ Cloud or on-premise deployment
▪ Virtual machine or container
▪ Separate interfaces for control and management
▪ Separate VPNs for control and management
▪ Zone-based security
▪ Minimal configuration for bring-up
▪ Connectivity, System IP, Site ID, Org-Name, vBond IP
▪ System settings
▪ Management access
Performing Initial vManage Configuration (Cont.)
▪ Time must be synchronized between all components – use NTP.
vManage System Settings (Org-Name and vBond)
vManage System Settings (Root CA Chain)
vManage System Settings (Smart Account)
Overview of Installation Steps - vBond
(Sizing table; column headers were not recovered, values as on the slide. Columns read as: devices, vCPU, RAM, disk, bandwidth, last column unlabeled.)
1-50     | 2 | 4 GB | 8 GB | 1 Mbps  | 2
51-250   | 2 | 4 GB | 8 GB | 2 Mbps  | 2
251-1000 | 2 | 4 GB | 8 GB | 5 Mbps  | 2
1001+    | 4 | 8 GB | 8 GB | 10 Mbps | 2
vBond
(Diagram: authenticated sources (vSmart, vManage) reach the vBond CPU; unknown and other sources are policed and denied.)
Control Plane Policing:
▪ 500 pps per flow
▪ 10,000 pps
▪ Unknown sources: deny except DHCP, DNS, ICMP, NETCONF
Note: vBond control plane policing is the same as vEdge
vEdge
(Diagram: implicitly trusted sources (vSmart, vManage, SD-WAN IPsec) and explicitly defined sources (Cloud Security) reach the vEdge CPU; other traffic goes to packet forwarding.)
Control Plane Policing:
▪ 300 pps per flow
▪ 5,000 pps
▪ Unknown sources: deny except
  1. Return packets matching flow entry (DIA enabled)
  2. DHCP, DNS, ICMP
  * Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN
Overview of Installation Steps - vSmart
(Sizing table; column headers were not recovered, values as on the slide. Columns read as: devices, vCPU, RAM, disk, bandwidth, last column unlabeled.)
1-50     | 2 | 4 GB  | 16 GB | 2 Mbps  | 2
51-250   | 4 | 6 GB  | 16 GB | 5 Mbps  | 2
251-1000 | 4 | 16 GB | 16 GB | 7 Mbps  | 2
1001+    | 8 | 16 GB | 16 GB | 10 Mbps | 2
▪ Setting up management interface
Performing Initial vSmart Configuration (Cont.)
▪ Setting up VPN 0 interface for initial system bring-up
Local CA - Overview
▪ If using subordinate servers, make sure you export/import the full root-ca chain.
Generating Key and Self-signed Certificate Using OpenSSL
TPM
During Manufacturing (TPM chip):
▪ Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
▪ Each vEdge device has a serial number, which is a 40-byte number that is included in the device's certificate
▪ Device certificate is stored in the on-board Tamper Proof Module (TPM)
▪ Installed during the manufacturing process
Root Chain:
▪ Certificate is signed by Avnet root CA
▪ Trusted by Control Plane elements
▪ Cisco root CA chain of trust is used to validate Control Plane elements
▪ Alternatively, an Enterprise root CA chain of trust (in software) can be used to validate Control Plane elements
Software Devices Identity
(Diagram: data center with firewall, DMZ and core switch; WAN Edge routers attached over MPLS and INET; numbered steps 1–3 and their bullet text were not recovered.)
Cloud Hosted Deployment - Recommended
▪ You will need Dynamic Host Configuration Protocol (DHCP) with DNS and a default gateway
for Cisco Network Plug and Play (PnP).
▪ An Internet connection should allow communication to devicehelper.cisco.com using ports 80
and 443 for PnP.
▪ Smart Licensing is required in order to use PnP during the software upgrade from standard
Cisco IOS XE to the SD-WAN Cisco IOS XE software image.
▪ You will need the router’s serial number and Secure Unique Device Identifier (SUDI). Some
devices, such as the ASR-1002-X and the ISRv virtual router, DO NOT have a SUDI.
▪ Note that the serial number displayed with “show license udi” can be different from the SUDI
displayed with “show crypto pki certificates.” You will need both for PnP.
What is SUDI?
▪ Secure unique device identification (SUDI) is a Cisco Trust Anchor Technology designed to
give customers the confidence that the product is genuine.
▪ The SUDI is part of the device certification, which will be used to authenticate and identify the
device, and is utilized by the DeviceAuthentication PnP Service.
▪ When a PnP Server wants to authenticate a device, it will send a Device-Authentication work-
request to the PnP Agent on that device. The Agent will rely on the SUDI API (platform
dependent implementation) to generate the work-response.
Zero Touch Provisioning – vEdge HW Appliance
(Diagram: steps 1–5 from the vEdge router through the ZTP service to full registration and configuration.)
▪ Delivered as-a-Service
▪ Identities associated with overlay at time of ordering
▪ Option 1:
  ▪ DHCP on Transport Side (WAN)
  ▪ DNS to resolve ztp.viptela.com*
▪ Option 2:
  ▪ Discover local addressing via ARP
  ▪ Google DNS: resolve ztp.viptela.com*
Zero Touch Provisioning – vEdge Cloud
(Diagram: steps 1–5 from the vEdge Cloud VM through cloud-init and the VM provisioning tool to full registration and configuration.)
▪ Assumption:
  ▪ DHCP on Transport Side (WAN)
Zero Touch Provisioning - WAN Edge Router
Additional on-prem vBond server can be configured to perform dedicated ZTP role. Required
steps:
1. Activate ZTP role
▪ vBond(config)# system vbond ip-address local ztp-server
2. Obtain signed certificate by trusted CA (Cisco)
3. Upload the chassis CSV file
▪ vBond# request device-upload chassis-file path
4. Configure local DNS server to resolve ztp.viptela.com with vBond IP
5. Define device templates
Example: ZTP CSV File
Supported hypervisors:
▪ VMware ESXi 5.5 & 6.0
▪ KVM
▪ AWS
▪ Azure
Deploying vEdgeCloud OVF
▪ Setting up management interface
▪ Generating bootstrap configuration to be able to extract the UUID and token for vEdgeCloud activation
Activate vEdgeCloud/CSRv (Cont.)
Activate vEdgeCloud/CSRv (Cont.)
▪ Verification
Activate vEdgeCloud/CSRv - Verification
Connecting to Management Console
▪ From a terminal shell, access the console port with this command:
▪ $ screen /dev/tty.usbserial* 115200,cs8
cEdge Code Improvement
• Previously: configuration via IOS CLI, DMI and many other forms
• cEdge: only YANG-based configuration (vManage, YANG-CLI)
Deployment Workflow
▪ Prerequisites
▪ Infrastructure
▪ Pre-provisioning
▪ Software image upload
▪ Reboot
▪ Verification
Prerequisites
If IOS-XE >16.6.1
▪ show crypto pki certificates
If IOS-XE SD-WAN
▪ show sdwan certificate serial
PnP Portal
▪ https://software.cisco.com
▪ Smart Account is required
PnP Portal – Adding Controller Profile
PnP - Adding Controller Profile Settings
PnP - Adding WAN Edge Devices
PNP - Providing Device Details
PnP – Downloading vManage License File
Converting ISR into SD-WAN WAN Edge Device on IOS XE 17.2
▪ Tunnel Name = (Interface number without slashes) + (1000*subif number if subif present) +
(5000000 if serial interface) + (channel group * 1000)
▪ vManage templates automatically calculate needed tunnel number
Verification Commands
Installing Local Root CA
Checking Control Connections
DTLS Connection Failure
Disabled TLOC
Probable causes:
▪ Clearing of Control Connections
▪ Changing the color on TLOC
▪ Change in System IP
▪ Change in any of the configs mentioned in the system block or in the tunnel properties
Challenge Response Rejected by Peer
▪ If the serial number is not present on the controllers for a given vEdge, the control connections will fail
▪ Verify this with the "Send to Controllers" option in vManage and/or show controllers [ valid-vsmarts | valid-vedges ].
Certificate Verification Failed
▪ Certificate verification fails when the certificate cannot be verified against the installed root certificate.
Organizational Name Mismatch
▪ For a given overlay, the Org. Name has to match across all the controllers and vEdges so that control connections can come up.
▪ If not, you will see "Certificate Org. name mismatch" in the "show control connections" output.
Certificate Revoked/Invalidated
▪ The certificate is treated as revoked when the controller or vEdge serial number has been invalidated
High Availability and Redundancy Overview
(Diagram: vSmart controllers reached over MPLS and INET control connections; data center and remote site with data paths over both transports.)
Redundancy - Site with LAN Bridging
(Diagram: two WAN Edge routers bridging the same LAN segment with hosts.)
Redundancy - Site with LAN Routing
(Diagram: two WAN Edge routers routing to the LAN hosts.)
Redundancy – Meshed Transports
(Diagram: vedge-51 and vedge-52, ge0/1 at 100.5.5.51/24 and 100.5.5.52/24, meshed across the transports.)
Redundancy – Path and Headend
(Diagram: remote site with redundant paths and headends.)
SD-WAN Controller Redundancy
(Diagram: active/active vManage, vBond and vSmart controllers spread across AMER (Group 1), EMEA (Group 2) and APAC (Group 3). The WAN Edge resolves the vBond FQDN per region (FQDN AMER, FQDN EMEA) and hashes across the controllers; labels read "1 transient connection", "1 permanent connection per-transport" and "1 permanent connection"; controller group lists "Group 1,2" and "Group 2,1".)
SD-WAN Controller Large Scale Deployment
(Diagram: vSmart groups in USA, EMEA and APAC.)
vSmart:
system
 controller-group-id 3
!
WAN Edge:
system
 max-omp-sessions 2
 controller-group-list 1 2
!
vpn 0
 interface ge0/0
  tunnel-interface
   max-control-connections 2
   exclude-controller-group-list 3
  !
 !
!
Affinity Logic
1) Attach to # of vSmarts up to max-omp-sessions
2) Attach to # of vSmarts up to max-control-connections per TLOC
3) Prefer Group 1 and continue with Group 2 as allowed by session budget
4) Never attach to Group 3
5) If Group 1 and 2 are unavailable try any other available group except for 3
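As an added illustration (not Cisco's implementation), the following simulates the five-step affinity logic with the WAN Edge values from the slide. The vSmart inventory is constructed, including a group 4 that is not on the slide and exists only to exercise step 5.

```python
"""Controller-affinity selection following the five-step Affinity Logic on the slide.
Constructed example; the vSmart inventory is made up and this is not Cisco's code."""

# Constructed inventory: vSmart name -> (controller-group-id, reachable?)
# Group 4 is not on the slide; it is added here only to exercise step 5.
VSMARTS = {
    "vsmart-usa-1": (1, True), "vsmart-usa-2": (1, True),
    "vsmart-emea-1": (2, True), "vsmart-emea-2": (2, True),
    "vsmart-apac-1": (3, True), "vsmart-apac-2": (3, True),
    "vsmart-lab-1": (4, True),
}

# Values from the WAN Edge configuration on the slide
EDGE_CFG = {"max_omp_sessions": 2, "group_list": [1, 2],
            "exclude_groups": [3], "max_control_connections": 2}


def outage(vsmarts, down):
    """Copy of the inventory with the named vSmarts marked unreachable."""
    return {n: (g, up and n not in down) for n, (g, up) in vsmarts.items()}


def select_vsmarts(vsmarts, max_omp_sessions, group_list, exclude_groups,
                   max_control_connections):
    """Return the vSmarts one TLOC attaches to, in preference order.
    Steps 1-2: session budget = min(max-omp-sessions, max-control-connections).
    Step 3: walk controller-group-list in order until the budget is spent.
    Step 4: groups in exclude-controller-group-list are never used.
    Step 5: if no preferred group has a reachable vSmart, use any other group."""
    budget = min(max_omp_sessions, max_control_connections)
    reachable = {n: g for n, (g, up) in sorted(vsmarts.items())
                 if up and g not in exclude_groups}            # step 4 applied here
    chosen = []
    for grp in group_list:                                     # step 3
        chosen += [n for n, g in reachable.items()
                   if g == grp][: budget - len(chosen)]
    if not chosen:                                             # step 5
        chosen = [n for n, g in reachable.items() if g not in group_list][:budget]
    return chosen


if __name__ == "__main__":
    print("all up:", select_vsmarts(VSMARTS, **EDGE_CFG))
    print("group 1 and 2 down:", select_vsmarts(
        outage(VSMARTS, {"vsmart-usa-1", "vsmart-usa-2", "vsmart-emea-1", "vsmart-emea-2"}),
        **EDGE_CFG))
```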
Data Plane Scale
(Diagram: ECMP across transports T1, T2 … Tn.)
▪ vEdge 100 – 250
▪ vEdge 1000 – 1500
▪ vEdge 2000/5000 – 6000
IOS-XE SDWAN Expected Performance
No magic here
▪ It's still the same forwarding plane doing the work
▪ SDWAN XE calls on the same features as Cisco IWAN = same performance impact
▪ Expect performance in line with IWAN numbers
(Diagram: vManage, vBond and vSmart controllers with WAN Edge routers over MPLS, 4G and INET.)
Main DC - ZDC
(Diagram: main data center with DC core switches SW1/SW2, PfR-MC, CE1 and CE2 toward MPLS and Internet; the legacy network and the SD-WAN overlay meet at the DC core. Labels: DC/non-SDWAN prefixes (OMP) and DC/SDWAN prefixes (OSPF/BGP) on CE1/CE2 in VPN0 and VPN1-N; non-SDWAN prefixes (OSPF/BGP) on the core switches; OMP-to-BGP/OSPF redistribution.)
▪ SD-WAN to non-SDWAN interoperability
▪ DC becomes hub
▪ Per VRF routing
▪ Core learns legacy prefixes and SD-WAN overlay routes
▪ Route redistribution both ways
Step 3: Branch Migration
Traffic Flow Use Cases
▪ Between Migrated & Legacy Branches in Different Region via SD-WAN Overlay
Templates - Overview
▪ Types:
▪ Device templates
▪ Feature templates
▪ CLI Templates
Benefits:
▪ Reuse any Cisco vEdge-specific vManage feature templates for Cisco IOS XE Routers.
▪ Make multiple changes to a CLI template in a single edit.
▪ Use a single configuration across multiple devices of the same device models.
▪ Define custom length for variables in CLI Templates.
▪ Use any existing IOS-XE device intent configuration as input for CLI template.
▪ Content of a CLI template can be used across multiple IOS-XE device types (common CLIs like
VPN, VPN interface, BGP, OSPF and so on).
Limitations:
▪ Do not include commands for auxiliary ports, such as line aux 0.
Templates Migration
▪ Before Cisco IOS XE Release Amsterdam 17.2.1r, the same template was shared for both device
types:
▪ Cisco vEdge and Cisco IOS XE SD-WAN.
▪ Specified using Cisco vEdge commands.
▪ Converted, if required, for Cisco IOS XE devices.
▪ Some functionality was unavailable on Cisco IOS XE SD-WAN.
▪ Before Cisco IOS XE Release Amsterdam 17.2.1r, there are two types of shared templates:
▪ Shared feature templates: If you specify a Cisco IOS XE SD-WAN device when creating a feature
template, a shared feature template is created.
▪ Shared device templates: A device template that contains a shared feature template.
▪ In Cisco IOS XE Release Amsterdam 17.2.1r and onwards, the feature templates have been
separated for Cisco vEdge devices and Cisco IOS XE SD-WAN devices.
▪ Enable support for additional features.
▪ Cisco vManage can migrate your older, shared feature templates to the new templates.
List of Migrated Templates
List of Migrated Templates (Cont.)
Template Migration
Template Migration (Cont.)
Configuration Templates Structure
Features
System
Default Setting
Security System default value
vManage
Transport Global Variable
Same value on all attached devices
WAN Edge
Centralized Device Configuration via Templates
WAN Edge
▪ Once a feature template is referenced from a device template, it can only be viewed there. To edit it, navigate to Feature Templates.
BFD Custom Template
OMP Custom Template
Transport & Management VPN Templates
VPN Template
VPN Interface - Template
VPN Interface - Template (Cont.)
Service VPN Template
Service VPN Template (Cont.)
Applying the Device Template
Applying the Device Template – Attaching Devices
▪ CSV can be opened with favorite spreadsheet tool (Excel, Calc, etc)
▪ Values are separated using commas
▪ All previously defined variable values are preserved
Applying the Device Template – Uploading CSV
▪ When saving CSV file make sure you preserve the format
▪ Use upload button to import the configured values
Applying the Device Template – Provisioning
Example: Error in Variable Value
(Diagram: Site1–Site4 around vSmart; each site runs Connected, Static and Dynamic (OSPF/EIGRP/BGP) routing on the service side and exchanges OMP with vSmart.)
▪ Supported dynamic routing protocols on service side:
  ▪ OSPF
  ▪ EIGRP
  ▪ BGP
▪ OMP learns and translates routing information across the overlay:
  ▪ OMP routes (vRoutes),
  ▪ TLOC routes,
  ▪ network service routes.
▪ OMP performs path selection, loop avoidance and policy implementation
OMP Routes
vpn 10
 router
  ospf
   redistribute omp
   area 0
    interface ge2/0
    exit
    interface ge3/0
    exit
   exit
  !
 !
 interface ge2/0
  ip address 10.0.5.12/24
  no shutdown
 !
 interface ge3/0
  ip address 10.0.2.12/24
  no shutdown
 !
 omp
  advertise ospf external
▪ Other common OSPF features are also supported:
  ▪ Passive interfaces,
  ▪ Authentication,
  ▪ Hello and dead timer customization,
  ▪ Default information originate,
  ▪ Summarization.
Configuring Service Side OSPF Using Template
Configuring Service Side OSPF Using Template (Cont.)
Verifying OSPF
INFO LOCAL AS
VPN PREFIX ID NEXTHOP METRIC PREF WEIGHT ORIGIN PATH PATH STATUS TAG
-------------------------------------------------------------------------------------------------------------
20 10.2.2.0/24 0 0.0.0.0 1000 50 0 incomplete Local valid,best 0
20 10.2.3.0/24 0 0.0.0.0 1000 50 0 incomplete Local valid,best 0
20 172.16.255.118/32 0 10.0.31.11 0 - 0 incomplete 65002 valid,best,external 0
Configuring Service Side BGP Using CLI
vpn 20
 router
  bgp 65001
   neighbor 10.0.31.11
    no shutdown
    remote-as 65001
   !
   address-family ipv4-unicast
    redistribute omp
    propagate-aspath
   !
  !
 !
 omp
  advertise bgp
  overlay-as 65000
INFO LOCAL AS
VPN PREFIX ID NEXTHOP METRIC PREF WEIGHT ORIGIN PATH PATH STATUS TAG
-------------------------------------------------------------------------------------------------------------
20 10.2.2.0/24 0 0.0.0.0 1000 50 0 incomplete Local valid,best 0
20 10.2.3.0/24 0 0.0.0.0 1000 50 0 incomplete Local valid,best 0
20 172.16.255.118/32 0 10.0.31.11 0 - 0 incomplete 65002 valid,best,external 0
Policy Overview
Centralized policy definition configured on vManage and enforced across entire network
vSmart Policy Architecture (Cont.)
▪ Any entity not matched in a sequence is subject to the default action for the policy.
- Attributes
- Path Selection
Policy Framework
Centralized and Localized Policies
(Diagram: vManage, NETCONF/YANG, OMP.)
▪ The Cisco SDWAN policy software design provides a clear separation between centralized and localized policies.
Centralized policy is provisioned on the centralized vSmart controllers and the localized policy is provisioned on
WAN Edge routers
▪ With Localized Data policy, also called an access list, you can provision QoS to:
▪ Classify incoming data packets into multiple forwarding classes based on importance.
▪ Spread the forwarding classes across different interface queues.
▪ Schedule the transmission rate or weights for each queue
(Diagram, centralized deployment: vManage → vSmart → WAN Edge. Control policy applies to OMP per Site-ID in the Out and In directions; data policy and AAR policy** apply per Site-ID, VPN and Direction*; the WAN Edge carries VPN1 and VPN2 and has its own localized policy.)
▪ DSCP marking done by the localized data policy can be used for matching in app-
route policy and centralized data policy.
▪ Unconditional transport path selection for applications/flows can only be done via
centralized data policy.
▪ Control policies are configured on vManage, and enabled and enforced on vSmart controllers. They do
not get forwarded to WAN Edge routers.
▪ Control policies operate on OMP routing information received from or sent to WAN Edge routers. They
can filter OMP updates or modify various attributes.
▪ Control policies can be a very powerful tool for changing routing behavior of the entire SD-WAN fabric
▪ Traffic Engineering
▪ Extranet VPNs
Creating a centralized policy:
▪ Define topology
▪ Define traffic rules
▪ Define data policies
▪ Activating and editing policies
Control Policy Example – Arbitrary VPN Topologies
▪ Problem: Different VPNs must be provided with different connectivity based on applications being serviced in each VPN
  VPN 1: CRM System = Hub and Spoke, VPN 2: Voice = Full Mesh
(Diagram: vSmart applying the control policy; Data Center and Site1–Site3 each carrying VPN1 and VPN2 across the Cisco SD-WAN fabric.)
Policy Details:
Control Policy Example – Arbitrary VPN Topologies
policy
 lists
  site-list Branches
   site-id 1-3
  !
  vpn-list CRM
   vpn 1
  !
 !
 control-policy ArbitraryTopology
  sequence 10
   match route
    vpn-list CRM
    site-list Branches
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branches
  control-policy ArbitraryTopology out
 !
!
Control Policy Example – Data Center Priority
▪ Problem: Prefer main data center over DR data center. If main data center fails, traffic should reroute to DR data center.
▪ Solution: Deploy control policy to influence TLOC priority
(Diagram: vSmart applying the control policy; Main DC, DR DC and Site3 on the Cisco SD-WAN fabric.)
Policy Details:
▪ Set higher preference on main data center TLOCs than on DR data center TLOCs
▪ Preference is set on all TLOC colors using a TLOC list
Control Policy Example – Data Center Priority
policy
 lists
  site-list Branches
   site-id 3-10
  !
  tloc-list Main-DC-tlocs
   tloc-id 10.1.1.1 gold
   tloc-id 10.1.1.1 mpls
  !
 !
 control-policy prefer-Main-DC
  sequence 10
   match tloc
    tloc-list Main-DC-tlocs
   !
   action accept
    set preference 50
   !
  !
 !
!
apply-policy
 site-list Branches
  control-policy prefer-Main-DC out
 !
!
Control Policy Example – Shared Services
▪ Problem: Services residing in a VPN must be shared across users residing in multiple other VPNs. Some VPNs don't need access to shared services.
▪ Solution: Deploy control policy with route exports
(Diagram: vSmart applying the control policy; shared service VPN100 at Site2; VPN1, VPN2 and VPN3 at Site1, Site3 and Site4.)
Policy Details:
▪ Export VPN2 and VPN3 routes into shared service VPN100, and vice versa
▪ VPN1 cannot communicate with VPN2, VPN3 or VPN100
Control Policy Example – Shared Services
policy
 control-policy extranet
  sequence 10
   match route
    vpn-list extranet-clients
   !
   action accept
    export-to vpn 100
   !
  !
  sequence 20
   match route
    vpn 100
    prefix-list extranet-srv-prefix
   !
   action accept
    export-to vpn-list extranet-clients
   !
  !
  default-action accept
 !
!
apply-policy
 site-list all-extranet-sites
  control-policy extranet in
 !
!
Service Insertion
▪ Problem: Certain departments require Firewall protection when interacting with data center networks, while other departments do not
▪ Solution: Deploy a service chained Firewall service per-VPN
(Diagram: regional hub with a Firewall advertising the Firewall service to vSmart; Site 1 with VPN1 (protected) and VPN2 (open); Data Center with VPN1 and VPN2; Site10.)
Policy Details:
▪ Regional hub advertises availability of Firewall service
▪ Bi-directionally modify TLOC next hop attribute for VPN1 traffic between Site1 and Data Center to point at regional hub TLOCs
Service Insertion (Cont.)
policy
 control-policy fw-service
  sequence 10
   match route
    vpn 1
    site-id 1
   !
   action accept
    set service netsvc1 vpn 1
   !
  !
  default-action accept
 !
!
apply-policy
 site-list fw-inspected
  control-policy fw-service out
 !
!
Service Insertion (Cont.) – Returned Traffic
apply-policy
 site-list dc
  control-policy fw-service-return out
 !
!
Hierarchical Traffic Policy
Needed tasks:
▪ Limit BFD sessions to intra-region and between hubs
▪ Adapt routing to support desired topology
Cisco SD-WAN
Hierarchical Traffic Policy (Cont.) – Region 1 Policy
▪ The default behavior of the SDWAN OMP architecture is to advertise any configured
VPN to any node where it is configured
▪ However, certain VPNs may be of a sensitive nature such that their membership must
be tightly controlled
▪ The VPN Membership Policy serves to restrict the distribution of VPN information from
vSmart to those that are explicitly approved
▪ Both Whitelist and Blacklist behavior can be established
▪ With a VPN Membership Policy, a node not explicitly allowed to participate in a VPN
may have the VPN configured but will only see local connectivity and routing
information
VPN Membership Policy Example
policy
 lists
  site-list sites_1
   site-id site1
   site-id site2
  !
  site-list sites_2
   site-id site3
   site-id site4
  !
  vpn-list sites_1
   vpn 10, 20
  !
  vpn-list sites_2
   vpn 30, 40
  !
 !
 vpn-membership acme_1
  sequence 10
   match vpn-list sites_1
   action accept
   !
  !
  default-action reject
 !
 vpn-membership acme_2
  sequence 10
   match vpn-list sites_2
   action accept
   !
  !
  default-action reject
 !
!
▪ Data policies are configured on vManage, enabled on vSmart controllers and enforced
on WAN Edge routers
▪ Data policies act on application traffic characteristics such as source and destination
addresses, ports, protocol numbers and DSCP values
▪ A Data policy acts on an entire VPN and is not interface specific.
▪ Data policies are used to enable many services, such as:
▪ QoS Classification
▪ Service Chaining
▪ cflowd
▪ NAT
▪ Traffic Policing and Counting
▪ Transport Selection, TE
Centralized Data Policy Configuration
Step 1: Create a list of sites to which the centralized data policy is to be applied
policy
 lists
  site-list mySites
   site-id 100-200
  !
 !
!
Step 2: Create lists of IP prefixes and VPNs, as needed
policy
 lists
  prefix-list myPrefixes
   ip-prefix prefix/length
  !
  vpn-list myVPN
   vpn 1
  !
  app-list myApps
   app office365
   app salesforce
  !
 !
!
Step 3: Create a data policy instance and associate it with a list of VPNs. Within the policy, create one or more numbered sequences of match–action pairs
policy
 data-policy myDataPolicy
  vpn-list myVPN
   sequence 10
    match
     app-list myApps
    !
    action accept
     set
      dscp 32
     !
    !
   !
  !
 !
!
Step 4: Apply the policy to one or more sites in the overlay network
apply-policy
 site-list mySites
  data-policy myDataPolicy (all | from-service | from-tunnel)
 !
!
Specifying Data Policy - Overview
Data Policy Example – Application Firewall
▪ Task: Block FTP traffic between branch sites in VPN 2
(Diagram: Data Center and Site1–Site3, each with VPN1 and VPN2.)
Policy Example – Application Firewall
policy
 lists
  site-list branches
   site-id 1-3
  !
  vpn-list corporate
   vpn 2
  !
  app-list ftp
   app ftp
  !
 !
 data-policy block_ftp
  vpn-list corporate
   sequence 10
    match
     app-list ftp
    !
    action drop
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list branches
  data-policy block_ftp all
 !
!
Policy Example – Application Firewall - GUI
Policy Example – Application Firewall – GUI (Cont.)
Data Policy Example – Traffic Engineering
• Problem: Send critical applications over MPLS transport and non-critical applications over Internet transport
• Solution: Deploy data policy to set transport for relevant traffic
(Diagram: vSmart applying the data policy; Site 2 with MPLS and Internet transports.)
Policy Details:
• Bi-directionally set local TLOC for desired traffic
• Override OMP routing decision
Policy Example: Traffic Engineering
(Diagram: Site10 and Data Center with a Firewall; labels distinguish HTTP traffic from other traffic.)
apply-policy
 site-list fw-inspected
  data-policy fw-service from-service
 !
!
▪ Used in the traditional sense for controlling BGP, OSPF and redistribution
 ▪ Information exchange
 ▪ Attributes
 ▪ Path Selection
▪ Configured in CLI or using CLI configuration template or via GUI using Localized Policy.
▪ Examples:
 ▪ QoS Policy Configuration
 ▪ Access Lists
 ▪ Traffic mirroring
 ▪ DPI and Flow Visibility
   policy
    app-visibility
    flow-visibility
Example: Access Lists
policy
 access-list sample_acl
  sequence 10
   match
    destination-ip 10.0.0.0/21
   !
   action accept
   !
  !
  sequence 20
   match
    protocol 6
    destination-ip 172.20.0.0/16
    destination-port 80
   !
   action accept
   !
  !
 !
!
vpn 1
 interface ge0/2
  access-list sample_acl in
▪ Protocol 6 = TCP, 17 = UDP
▪ Default implicit deny at the end of ACL; define default-action to modify
▪ Attached to interface in inbound or outbound direction
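The sequence-order and implicit-deny behaviour of sample_acl, as an added example that is not code from the bootcamp or from Cisco: a small Python model of the localized ACL, evaluated against constructed packets. The Packet, Sequence and AccessList classes and the sample packets are assumptions for illustration; the prefixes, protocol number, port and sequence numbers are the ones on the slide.

```python
"""Evaluate the slide's sample_acl against constructed packets.

Added example (not Cisco code): models the localized-policy ACL semantics
described above: sequences are tried in ascending order, the first match
decides, and traffic matching no sequence hits the implicit deny unless a
default-action is configured.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers as on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None


@dataclass
class Sequence:
    number: int
    action: str                              # "accept" or "drop"
    destination_ip: Optional[str] = None     # CIDR prefix
    protocol: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured match criterion must hold (AND semantics)."""
        if self.destination_ip and ip_address(pkt.dst) not in ip_network(self.destination_ip):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.destination_port is not None and pkt.dst_port != self.destination_port:
            return False
        return True


@dataclass
class AccessList:
    name: str
    sequences: List[Sequence] = field(default_factory=list)
    default_action: str = "drop"             # implicit deny unless 'default-action accept'

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence number); None marks the default action."""
        for seq in sorted(self.sequences, key=lambda s: s.number):
            if seq.matches(pkt):
                return seq.action, seq.number
        return self.default_action, None


# The slide's sample_acl, hand-encoded from the CLI above.
SAMPLE_ACL = AccessList(
    name="sample_acl",
    sequences=[
        Sequence(10, "accept", destination_ip="10.0.0.0/21"),
        Sequence(20, "accept", destination_ip="172.20.0.0/16", protocol=TCP, destination_port=80),
    ],
)


def evaluate_sample(pkt: Packet) -> Tuple[str, Optional[int]]:
    return SAMPLE_ACL.evaluate(pkt)


if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    for pkt in [
        Packet("192.0.2.10", "10.0.1.5", UDP, 53),     # seq 10: any protocol into 10.0.0.0/21
        Packet("192.0.2.10", "172.20.4.9", TCP, 80),   # seq 20: TCP/80 into 172.20.0.0/16
        Packet("192.0.2.10", "172.20.4.9", UDP, 80),   # UDP/80: no match -> implicit deny
        Packet("192.0.2.10", "172.20.4.9", TCP, 443),  # TCP/443: no match -> implicit deny
        Packet("192.0.2.10", "10.0.8.1", TCP, 80),     # 10.0.8.1 lies outside the /21 -> implicit deny
    ]:
        print(pkt, "->", evaluate_sample(pkt))
```

The last three packets show why the implicit deny matters when reviewing an ACL: a UDP packet to port 80, HTTPS to the same host, and a host just outside the /21 are all dropped even though nothing in the list mentions them. Changing default_action to "accept" is the equivalent of adding default-action accept on the device and turns the list from an allow-list into a no-op for unreferenced traffic.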
WAN Edge Router Device QoS Overview
QoS Configuration Steps - Localized Data Policy
policy
 qos-map MyQoSMap
  qos-scheduler be-scheduler
  qos-scheduler bulk-scheduler
  qos-scheduler critical-scheduler
  qos-scheduler voice-scheduler
 !
!
vpn 0
 interface ge0/1
  qos-map MyQoSMap
 !
!
Classification Using ACL (Localized Data Policy)
policy
 access-list Classify-ACL
  sequence 10
   match
    dscp 46
   !
   action accept
    class voice
   !
  !
  sequence 20
   match
    source-ip 10.1.1.0/24
    destination-ip 192.168.10.0/24
   !
   action accept
    class bulk-data
    set
     dscp 12
    !
   !
  !
  sequence 30
   match
    destination-ip 192.168.20.0/24
   !
   action accept
    class critical-data
    set
     dscp 32
    !
   !
  !
  sequence 40
   action accept
    class best-effort
    set
     dscp 0
    !
   !
  !
 !
!
vpn 1
 interface ge0/0
  access-list Classify-ACL in
Marking and Re-marking
▪ Default Behavior
 ▪ Comply with the service provider's provisioned classes of service
▪ Ingress Classification
 ▪ DPI or 6 tuple matching using centralized or localized data policy
 ▪ Ingress interface marks/re-marks inner DSCP bits
▪ Inner DSCP bits are copied to the outer DSCP bits
▪ Egress interface re-write rules remark outer DSCP bits
[Diagram: Ingress Interface (modify with ACL/Data Policy) and Egress Interface (modify with re-write rules) acting on inner and outer DSCP]
Example: Re-marking
policy
 rewrite-rule transport
  class af1 low dscp 3
  class af1 high dscp 4
  class af2 low dscp 5
  class af2 high dscp 6
  class af3 low dscp 7
  class af3 high dscp 8
  class be low dscp 1
  class be high dscp 2
 !
!
vpn 0
 interface ge0/0
  rewrite-rule transport
 !
!
▪ Rewrite rule to overwrite the DSCP field of the outer IP header in egress direction
▪ Can rewrite based on the drop profile
Queueing
▪ Classification
 ▪ Flow match on 6-tuple (ACL, Data Policy)
 ▪ Application match on DPI (Data Policy)
▪ Per-Egress Interface Queuing
 ▪ Q0 is LLQ
 ▪ WAN Edge control traffic (DTLS/TLS, BFD, routing protocols) goes into Q0
 ▪ Not subjected to LLQ policer
[Diagram: WAN Edge with Ingress Interface and Egress Interface; egress queues Q0 to Q7]
[Diagram: token bucket policer; tokens are added to the bucket at the configured rate]
▪ Set PLP=High value for traffic that exceeds configured policer rate (there are no tokens in the bucket)
▪ Default is PLP=Low
Localized policy (policer applied through an ACL):
policy
 policer bursty-traffic
  rate 1000000
  burst 20000
  exceed remark
 !
 access-list policer-bursty-traffic
  sequence 10
   match
    source-ip 10.1.0.0/24
   !
   action accept
    policer bursty-traffic
   !
  !
  default-action accept
 !
!
vpn 1
 interface ge1/0
  ip address 10.1.0.1/24
  no shutdown
  access-list policer-bursty-traffic in
 !
!
Centralized data policy (matching on the PLP set by the policer):
policy
 lists
  site-list branch100
   site-id 100
  !
  vpn-list wan-vpn
   vpn 10
  !
 !
 data-policy highest-priority
  vpn-list wan-vpn
   sequence 10
    match
     plp high
     source-ip 10.1.0.0/24
    !
    action accept
     counter bursty-counter
     set
      local-tloc color red
     !
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list branch100
  data-policy highest-priority from-service
 !
!
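The token-bucket behaviour behind the policer above, as an added example that is not code from the bootcamp or from Cisco: a Python model that refills a bucket at the configured rate and remarks packets PLP=High once the bucket is empty. The rate and burst values are the slide's (1000000 bps, 20000 bytes); the continuous refill, the Policer class and the constructed packet timings are assumptions for illustration.

```python
"""Token-bucket policer with 'exceed remark' semantics.

Added example (not Cisco code): models the policer on the slide above.
Tokens refill at `rate` bits per second up to a depth of `burst` bytes;
a packet that finds enough tokens conforms and keeps the default PLP=Low;
a packet that finds the bucket empty exceeds the rate and, with 'exceed
remark', is remarked PLP=High instead of dropped. A continuous refill at
the configured rate is assumed; the platform's real timer granularity is
not described on the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policer:
    rate_bps: int              # 'rate 1000000' on the slide (bits per second)
    burst_bytes: int           # 'burst 20000' on the slide (bucket depth in bytes)
    exceed: str = "remark"     # 'exceed remark'; the other choice is drop
    tokens: Optional[float] = None
    last_ts: float = 0.0

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = float(self.burst_bytes)   # bucket starts full

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last_ts = now

    def police(self, now: float, length: int) -> str:
        """Return 'low' (conforming, PLP=Low), 'high' (remarked PLP=High) or 'drop'."""
        self._refill(now)
        if self.tokens >= length:
            self.tokens -= length
            return "low"
        return "high" if self.exceed == "remark" else "drop"


def police_packets(policer: Policer, packets: List[Tuple[float, int]]) -> List[str]:
    """Run (timestamp_seconds, length_bytes) pairs through the policer in order."""
    return [policer.police(ts, length) for ts, length in packets]


def slide_scenario() -> List[str]:
    """Constructed traffic: twenty 1500-byte packets at t=0, then one packet 50 ms later."""
    p = Policer(rate_bps=1_000_000, burst_bytes=20_000)
    burst = [(0.0, 1500)] * 20     # 30 000 bytes at once: 13 fit into the 20 000-byte bucket
    later = [(0.05, 1500)]         # 50 ms at 1 Mbit/s refills 6 250 bytes, enough for one more
    return police_packets(p, burst + later)


if __name__ == "__main__":
    verdicts = slide_scenario()
    print(verdicts.count("low"), "conforming,", verdicts.count("high"), "remarked PLP=High")
```

The scenario shows the two knobs separately: burst decides how many back-to-back packets conform before remarking starts (13 of the 20 here), and rate decides how quickly the bucket recovers afterwards. With exceed set to drop the same packets would be discarded instead of remarked, and the centralized data policy above would then have nothing to match on.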
QoS - vEdgeCloud Specifics
policy
 cloud-qos
 cloud-qos-service-side
▪ cloud-qos - Enables QoS scheduling and shaping for traffic that the vEdgeCloud receives from transport-side interfaces
▪ cloud-qos-service-side - Enables QoS scheduling and shaping for traffic that the vEdgeCloud receives from service-side interfaces
Critical Applications SLA
▪ Poll Interval and Multiplier determine how quickly AAR policy will react
▪ Application-aware routing policy affects only traffic that is flowing from the service side
▪ If a single tunnel matches the SLA, data traffic is sent through that tunnel.
▪ If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.
bfd
 app-route poll-interval
bfd
 app-route multiplier
bfd
 hello-interval
App-route Policy Path Convergence
▪ Current Mean Latency is 20ms, when Latency jumps to 150ms as Bucket 1 collection starts
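The convergence scenario above, worked through as an added example that is not code from the bootcamp or from Cisco: a Python model of the bucket mechanism, replaying a latency jump from 20 ms to 150 ms against the voice-sla latency threshold of 100 ms configured later in this deck. The default poll-interval (600000 ms) and multiplier (6), and the rule that a tunnel is out of SLA when the rolling mean exceeds the threshold, are assumptions not taken from the page.

```python
"""How app-route poll-interval and multiplier bound AAR reaction time.

Added example (not Cisco code): models the mechanism the slides describe.
BFD gathers per-tunnel latency into buckets, one bucket per
'app-route poll-interval', and the SLA check uses the mean over the last
'app-route multiplier' buckets. The slide's scenario (mean latency 20 ms,
then 150 ms from bucket 1 onward) is replayed against the voice-sla latency
threshold of 100 ms configured later in this deck. Assumptions not taken
from the page: default poll-interval 600000 ms and multiplier 6, and that a
tunnel is out of SLA when the rolling mean exceeds the threshold.
"""
from collections import deque
from typing import Optional


def sla_violation_bucket(old_ms: float, new_ms: float, threshold_ms: float,
                         multiplier: int = 6) -> Optional[int]:
    """1-based index of the bucket at which the rolling mean first exceeds the SLA, else None."""
    window = deque([old_ms] * multiplier, maxlen=multiplier)   # history before the jump
    for bucket in range(1, multiplier + 1):
        window.append(new_ms)                                   # one poll-interval of the new latency
        if sum(window) / multiplier > threshold_ms:
            return bucket
    return None


def reaction_time_minutes(old_ms: float, new_ms: float, threshold_ms: float,
                          poll_interval_ms: int = 600_000, multiplier: int = 6) -> Optional[float]:
    """Wall-clock time until the tunnel is declared out of SLA, or None if it never is."""
    bucket = sla_violation_bucket(old_ms, new_ms, threshold_ms, multiplier)
    return None if bucket is None else bucket * poll_interval_ms / 60_000


if __name__ == "__main__":
    # Rolling mean per bucket: 41.7, 63.3, 85.0, 106.7 -> out of SLA at bucket 4, i.e. 40 minutes
    print(sla_violation_bucket(20, 150, 100), reaction_time_minutes(20, 150, 100))
    # Tightening to a 1-minute poll-interval and multiplier 2 cuts reaction to 2 minutes
    print(reaction_time_minutes(20, 150, 100, poll_interval_ms=60_000, multiplier=2))
```

Two things the numbers make visible: with the assumed defaults a path that degrades to 150 ms is only abandoned after four 10-minute buckets, and a jump that lands exactly on the threshold (150 ms against a 150 ms SLA) never trips it at all, because the mean can approach but not exceed the limit. Shortening the poll-interval or multiplier reacts faster but also flaps more readily on transient spikes.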
Application-Aware Routing Policy
▪ The SLA-class defines the required loss, latency and jitter thresholds for the application that is to go via the overlay path
▪ The app-route-policy defines the traffic that is to belong to a defined class in a fashion similar to a data-policy
▪ Configuring an app-route-policy includes a reference to a VPN-list to dictate which VPNs will benefit from the policy at the listed sites
Application-Aware Routing Policy Configuration
policy
 lists
  vpn-list myVPN
   vpn 10
  !
  data-prefix-list approute-Prefixes
   ip-prefix 10.1.0.0/16
  !
  app-list myApps
   app office365
   app salesforce
  !
 !
!
Step 2: Create SLA classes and traffic characteristics to apply to matching application data traffic.
policy
 sla-class bulk-data-sla
  latency 150
 !
 sla-class critical-data-sla
  loss 5
  latency 150
 !
 sla-class voice-sla
  loss 1
  latency 100
  jitter 5
 !
!
Application-Aware Routing Policy Configuration Cont.
Step 4: Create an application-aware routing policy instance and associate it with a list of VPNs
policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
  !
 !
!
Step 5: Within the policy, create one or more numbered sequence of match–action pairs
policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
   sequence 10
    match
     app-list myApps
    !
    action
     sla-class critical-data-sla preferred-color mpls
    !
   !
   sequence 20
    match
     dscp 46
    !
    action
     sla-class voice-sla preferred-color mpls
    !
   !
   sequence 30
    match
     destination-data-prefix-list approute-Prefixes
    !
    action
     backup-sla-preferred-color public-internet
     sla-class bulk-data-sla preferred-color biz-internet
    !
   !
  !
 !
!
Step 6: Specify the default action for the policy
policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
   default-action sla-class bulk-data-sla
  !
 !
!
Step 7: Apply the policy to a site list:
apply-policy
 site-list mySites
  app-route-policy myApproutePolicy
 !
!
Direct Internet Access
▪ Problem: Local Internet exit needs to be provided to guest WiFi users. Guest WiFi users need to be isolated from corporate users.
▪ Solution: Deploy a data policy in guest VPN with a network address translation
Policy Details:
▪ Define NAT on transport side interface
▪ Force matching traffic in guest WiFi VPN through a locally defined NAT on transport side interface
[Diagram: vSmart pushes the Data Policy to the site; VPN1 – Corporate traffic reaches the Data Center over the Cisco SD-WAN fabric, VPN2 – Guest traffic exits locally to the Internet through DIA NAT]
Example: Local DIA Using Data Policy
vpn 0
 interface ge0/1
  nat
  !
 !
!
policy
 lists
  vpn-list guest-wifi
   vpn 2
  !
  site-list wifi-sites
   site-id 10-15
  !
 !
 data-policy wifi-dia
  vpn-list guest-wifi
   sequence 10
    match
     destination-port 80 443
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list wifi-sites
  data-policy wifi-dia from-service
 !
!
DIA Using IP Prefix
vpn 0
 interface ge0/1
  nat
  !
 !
!
vpn 2
 ip route 0.0.0.0/0 vpn 0
!
vpn 2
 router
  bgp 65000
   address-family ipv4-unicast
    redistribute nat
   !
  !
 !
!
▪ Default NAT route cannot coexist with static default route
▪ NAT route does not get redistributed into OMP
▪ Transport-side NAT
 ▪ 1:1 static NAT, which allows external connections to an internal server, is supported since version 18.3
 ▪ Port forwarding
▪ Service-side NAT
 ▪ NAT pool interface + data policy
 ▪ Both dynamic and static NAT are supported
 ▪ Can translate internal or external source IP addresses
Tracking Transport Interface Status
system
 tracker dia
  endpoint-ip 203.0.113.1
  interval 10
  multiplier 1
 !
!
▪ Tracking enables you to respond to reachability status over WAN
▪ WAN Edge router determines best performing DIA circuit toward Cloud onRamp SaaS applications based on vQoE scores
[Diagram: WAN Edge Router (remote site) sends a DNS Query and a Quality Probe over VPN0 toward the SaaS application; each circuit receives a vQoE score]
How to provide security, segmentation, QoS and reliability to the cloud workloads?
[Diagram: SD-WAN Fabric connecting Campus, Branch, Remote Site and Data Center to Cloud VPCs and VNETs]
Cloud onRamp for IaaS – Attached Compute
Lawful Intercept
▪ The Domain name of routers and mediation devices must be registered in DNS
▪ The Mediation Device must have an Access Function (AF) and Access Function Provisioning Interface (AFPI)
▪ The Mediation Device must be part of an SNMP user group with access to CISCO-TAP2-MIB
▪ SNMP must be enabled on the interfaces using the VPN interface feature template
Lawful Intercept – Installation
Step 1: Generate a license request
vManage# tools license request
Your org-name is: XYZ Inc
Your license-request challenge is:
Uwk3u4Vwkl8n632fKDIpKDEFkzfeJlhFQPOHopbvewmed0U83LQDgajO7GnmCIgA
Step 2: Contact Cisco Support and generate a license based on information from Step 1
Step 3: Install the license and reboot
[Diagram: WAN Edge Router with Service (VPNn) and Transport (VPN0) interfaces toward MPLS and INET; per-VPN route tables A, B, C]
Traffic Encryption
[Diagram: vEdge-A and vEdge-B exchange OMP Updates carrying their local and remote IPsec Security Associations over Transport1 and Transport2; data plane protected with ESPv3 AES256 / AES256-GCM]
Control Plane Security
[Diagram: vEdge Routers at Site 1 and Site 2; control plane carried over DTLS/TLS; data traffic between the sites encrypted with Key 1 in one direction and Key 2 in the other]
Traditional Branch Security
▪ Security enforcement at the branch is too costly, security enforcement at the data center is too inefficient (for cloud)
▪ Segmentation over MPLS is underlay specific, segmentation over-the-top is operationally cumbersome
▪ Per segment topology… forget about it!
[Diagram: Remote Site users in VPN1, VPN2 and VPN3 crossing the Wide Area Network to the Data Center Firewall and on to the Cloud]
Why Security?
▪ Outside-in Threats
 ▪ Malware / Ransomware
 ▪ Phishing emails
 ▪ Denial of Service
▪ Inside-out Threats
 ▪ Unauthorized access
 ▪ Privilege escalation
 ▪ Data Exfiltration
▪ Internal Threats
 ▪ Worm propagation
 ▪ Unauthorized access
 ▪ Data Hoarding
[Diagram: Corporate Network and Private Cloud behind Existing Security; Branch WAN Edge with No Security reaching Public Cloud and a Regional SaaS PoP over MPLS and INET; Users at the branch]
1. Avoid Backhauling
 Benefit: Better use of WAN bandwidth
2.
 Benefit: Improves application performance
3. Better Application Performance
 Benefit: Improves user experience
4. Centralized Policy/Monitoring
 Benefit: Consistent Security Policy & monitoring
Threat Landscape and Types of Threats
Threat Landscape
▪ Cyber Warfare
▪ Nation-State Sponsored
▪ Organized Crime / Targeted Attacks
▪ Ransomware
▪ Cryptojacking
▪ Sextortion
▪ Financially Motivated
Types of Threats
▪ Security bug / Vulnerability
 ▪ e.g.: Heartbleed, SMBv1 vulnerability, IKEv1 vulnerability, SQL Injection, Buffer Overflow, Cross-site request forgery, Cross Site Scripting (XSS)
▪ Malware
 ▪ Viruses, Worms, Trojans
 ▪ Phishing, Adware, Spyware, Scareware
 ▪ Keyloggers, Backdoors, Exploits, Rootkits
▪ Denial of Service
 ▪ e.g.: Dyn Attack (Oct 2016)
▪ Botnets
 ▪ e.g.: LinkedIn attack (Aug 2016), Deutsche Telekom (Nov 2016)
High Profile Incidents and their Targets
[Diagram: VPN1 Users and VPN2 Compliance segments, each with its own Internet access]
[Platform support table; column headers not recovered]
Cisco - CSR Y Y Y Y Y Y
Cisco – ENCS (ISRv) Y Y Y Y Y Y
IPS / URL-F App Hosting Profile | Security Profile - Features | Minimum Platform requirement | Platform Supported
Default | IPS + URLF (Cloud Lookup only) + AMP (hash analysis) | 8GB Bootflash & 8GB Memory, 1 / 2 SP cores, 4/8 vCPU | ISR1K/4221X/4321, 4331/4351/44xx, CSR / ISRv
High | IPS + URLF (On-box DB + Cloud Lookup) + AMP (hash analysis) + Threat Grid (TG) | 16GB Bootflash & 16GB Memory, 2 SP cores, 4/8 vCPU | 4331/4351/44xx, CSR / ISRv
[Diagram: packet processing order on the router; G0/0 is LAN facing, G0/1 is WAN facing]
• LAN to WAN (Ingress G0/0, Egress G0/1): IP Dest Lookup (1), NBAR (2), DNS Security (3), VFR (4), CEF (5); security features on the path: NAT, FW, IPS, URL-F, AMP, DNS Layer Security, NBAR
• WAN to LAN (Ingress G0/1, Egress G0/0): DNS Layer (1), VFR (2), NAT (3), CEF (4); security features on the path: FW, IPS, URL-F, AMP, DNS Layer, NBAR
SD-WAN Security Overview
[Diagram: vManage managing Firewall, IPS, URL Filtering and DNS/web layer security for Employee and Guest users across Service-VPN 1, Service-VPN 2 and Service-VPN 3]
Application Aware Firewall
▪ VPNs are applied to Zones, and Firewall Policies are applied to zone pairs
▪ Zone policies are directional, providing directional control of traffic
▪ Builds connections to allow return traffic
▪ TCP Enforcement
 ▪ First packet must be a SYN
 ▪ 3-way handshake must be completed before data is transferred
 ▪ All subsequent traffic must fall within TCP window
▪ Stateful checking of traffic
 ▪ Examines Layer 4 header, verifies TCP Sequence and Acknowledgement numbers, verifies TCP flags
▪ Inspects traffic
 ▪ Examines Layer 7 header of packet
 ▪ Verifies packet conforms to application specification
▪ Default drop policy
 ▪ Tight security for unreferenced traffic
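The TCP enforcement and stateful checks listed above, as an added example that is not code from the bootcamp or from Cisco: a Python flow table that rejects a non-SYN first packet, refuses data until the 3-way handshake has completed, and then checks sequence and acknowledgement numbers against the peer's advertised window. The StatefulInspector class, the simplified window handling and the constructed client/server exchange are assumptions for illustration.

```python
"""Stateful TCP enforcement as the application-aware firewall slide describes.

Added example (not Cisco code): a flow table that applies the three checks
listed above: the first packet of a flow must be a SYN, no data is allowed
until the 3-way handshake has completed, and afterwards each segment's
sequence number must lie inside the window the receiver last advertised,
with ACK numbers not running ahead of what the peer has sent. Window
handling is deliberately simple (no scaling, no wraparound, no
retransmission tolerance), an assumption for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Segment:
    src: str                 # "ip:port" of the sender
    dst: str
    flags: FrozenSet[str]
    seq: int
    ack: int = 0
    window: int = 65535      # receive window the sender advertises
    payload_len: int = 0


@dataclass
class Flow:
    state: str = "SYN_SENT"                                   # -> SYN_RECEIVED -> ESTABLISHED
    next_seq: Dict[str, int] = field(default_factory=dict)    # next sequence number expected from each endpoint
    window: Dict[str, int] = field(default_factory=dict)      # receive window advertised by each endpoint


class StatefulInspector:
    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], Flow] = {}

    @staticmethod
    def _key(seg: Segment) -> Tuple[str, str]:
        return tuple(sorted((seg.src, seg.dst)))   # one entry covers both directions

    def inspect(self, seg: Segment) -> str:
        key = self._key(seg)
        flow = self.flows.get(key)
        if flow is None:                                       # unknown flow: only a bare SYN may open it
            if seg.flags != frozenset({SYN}):
                return "drop: first packet must be a SYN"
            flow = self.flows[key] = Flow()
            flow.next_seq[seg.src] = seg.seq + 1
            flow.window[seg.src] = seg.window
            return "accept"
        if flow.state == "SYN_SENT":                           # expect SYN/ACK from the responder
            if seg.flags == frozenset({SYN, ACK}) and seg.ack == flow.next_seq.get(seg.dst):
                flow.state = "SYN_RECEIVED"
                flow.next_seq[seg.src] = seg.seq + 1
                flow.window[seg.src] = seg.window
                return "accept"
            return "drop: handshake not complete"
        if flow.state == "SYN_RECEIVED":                       # expect the final ACK, carrying no data
            if seg.flags == frozenset({ACK}) and seg.payload_len == 0 and seg.ack == flow.next_seq.get(seg.dst):
                flow.state = "ESTABLISHED"
                return "accept"
            return "drop: handshake not complete"
        # ESTABLISHED: sequence number must fall inside the receiver's window
        lo = flow.next_seq[seg.src]
        hi = lo + flow.window[seg.dst]
        if not lo <= seg.seq < hi:
            return "drop: sequence outside TCP window"
        if ACK in seg.flags and seg.ack > flow.next_seq[seg.dst]:
            return "drop: ACK beyond data sent by peer"
        flow.next_seq[seg.src] = seg.seq + seg.payload_len
        flow.window[seg.src] = seg.window
        return "accept"


def demo() -> List[str]:
    """Constructed exchange between client C and server S; returns one verdict per segment."""
    fw = StatefulInspector()
    C, S = "10.1.1.10:40000", "192.168.10.5:80"
    segments = [
        Segment(C, S, frozenset({ACK}), seq=900, ack=1, payload_len=10),             # no SYN first -> drop
        Segment(C, S, frozenset({SYN}), seq=1000, window=8192),                      # opens the flow
        Segment(C, S, frozenset({ACK}), seq=1001, ack=1, payload_len=10),            # data before SYN/ACK -> drop
        Segment(S, C, frozenset({SYN, ACK}), seq=5000, ack=1001, window=4096),
        Segment(C, S, frozenset({ACK}), seq=1001, ack=5001),                         # handshake complete
        Segment(C, S, frozenset({ACK}), seq=1001, ack=5001, payload_len=100),        # in-window data
        Segment(C, S, frozenset({ACK}), seq=1101 + 4096, ack=5001, payload_len=10),  # past S's window -> drop
        Segment(S, C, frozenset({ACK}), seq=5001, ack=1101, payload_len=200),        # server reply, in window
    ]
    return [fw.inspect(s) for s in segments]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two dropped data segments are the cases the slide's "default drop" and "TCP window" bullets are about: a segment that belongs to no established connection never reaches the Layer 7 inspection, and a segment whose sequence number sits past the peer's advertised window is treated as out of state rather than forwarded. Each flow is keyed on both endpoints so return traffic from the server is matched to the connection the client opened.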
Ent. Firewall App Aware: Intra-Zone Security
[Diagram: VPN1 Zone to VPN1 Zone across the SD-WAN Fabric; Default Action: D I P (Drop, Inspect, Pass); Note: Optional 5-tuple matching]
[Diagram: Snort running in an LXC on the control plane, connected to the data plane through a Virtual Ethernet; traffic path through the container]
▪ IPS, AMP & URL Filtering services run on a Linux Container (LXC), using control plane resources
▪ Traffic is punted to Container using Virtual Port Group (VPG) interface
▪ Reserved CPU and memory for Container process enables deterministic performance
Intrusion Prevention and Detection Provisioning
Intrusion Prevention and Detection Provisioning (Cont.)
URL Filtering
▪ DNScrypt
▪ Intelligent Proxy
[Diagram: DNS queries from Service-VPN 1 and Service-VPN 2]
DNS/Web-Layer Security Provisioning
DNS/Web-Layer Security Provisioning (Cont.)
DNS Security vs. URL Filtering
DNS Security | URL Filtering
Looks only at DNS packets (preferred in Spain over URL-F) | Looks within HTTP packet.
We have reporting (time, IP addr., domain browsed) in Umbrella portal (comes free with DNA license, user ID and password sent to customer via email) | Can whitelist/blacklist sub-domains. No reporting/visibility
Cloud | On-prem
No memory | 8GB or 16GB memory (if the URL-F database needs to be on-the-box)
• Comes with Umbrella at DNA-E/A (no enforcement, only monitoring) | • Comes with DNA Advantage
• Enforcement with Umbrella Insights in DNA-P | • Comes as part of embedded security in a IOSXE SD-WAN Cisco router with 8GB memory
Configure Proxy CA
TLS/SSL Decryption Policy
TLS/SSL Decryption Policy (Cont.)
TLS/SSL Decryption Policy – Add Network Rule
TLS/SSL Decryption Policy – Add URL Rule
Transformation to Converged Cloud Security Service
Cisco Umbrella Evolution
Cisco’s Strategic Vision
Configure Umbrella SIG
▪ Configured as a Feature Template
 ▪ SIG Interface
 ▪ SIG Credentials
▪ Applied to Device Template
Configure Umbrella SIG (Cont.)
Configure Umbrella SIG – Advanced Options
SD-WAN drives Security to Top-of-Mind
Customer Intent
Compliance
• Protect Card Holder Data
• Protect Patient Data
• Protect against data breaches
Guest Access
• Protect against liability
• Prevent guest users from disrupting network
• Protect the enterprise
Direct Cloud Access
• Trusted Cloud Applications
• Provide better user experience
Direct Internet Access
• Leverage the local internet path for all Internet traffic
• Protect against potential threats from branch coming in
Simplified Packaging
DNA Premier – Advanced Cloud Security Use-Cases
 Comprehensive Malware Protection w/ Sandboxing
 Umbrella Insights
 Includes Advantage
DNA Advantage – Cloud-Scale SD-WAN Use-Cases
 Malware Protection and URL-Filtering(2)
 Application Optimization for Multi-Cloud
 Multi-Domain End-End Policy and Segmentation(3)
 Rich Services - Integrated Voice and Wan Opt(4)
 Includes Essentials
DNA Essentials – Standard SD-WAN Use-Cases (<50 Sites)
 Application-based SLA
 Branch Security with Firewall and IPS
 WAN Automation and Ease of Management
Capability columns as laid out on the slide:
 Hub Spoke, Full Mesh, Dynamic Routing | Basic Telemetry Visibility (vManage) | Unlimited Segmentation, Fabric Multicast Support | Single Orchestration for Cloud, Branch & Colo | Application FW, AMP, URL Filter, IPS(1) | Automated Service Stitching for Cisco and 3rd Party VNFs | FEC, Packet Dup
(1) (2) (3) (4) Capabilities supported only on ISR and CSR
Cisco DNA SD-WAN Licensing
Capability Based Packaging
Umbrella Insights
Advantage
▪ Fabric Multicast
▪ Integrated Voice Support (SRST/FXO/FXS)
▪ Unlimited Segmentation
▪ SaaS Optimization
▪ Automated Service Stitching for 3rd Party VNF
▪ Web Caching for WAN Optimization
▪ URL-Filtering(2)
▪ Cloud OnRamp for IaaS (AWS and Azure)
▪ Integrated Border for SDA and ACI
▪ Advanced Malware Protection(2)
▪ WAN Analytics (vAnalytics)
▪ DRE for WAN Optimization
▪ Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936
▪ Configuration Guide: https://www.cisco.com/c/en/us/support/routers/sd-wan/products-installation-and-configuration-guides-list.html
▪ Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301